linux/ubuntu: how to trace out clues about lost files?
28 views
Skip to first unread message
ping
Nov 3, 2012, 12:51:43 PM11/3/12
to linuxus...@googlegroups.com
folks:
I just realized, I might have lost a lot of log files in a folder and
I'm trying to find out what happened.
unfortunately I haven't put the folder of any log files inside it under
any version control systems (like git).
anyone knows any good/best tools/solutions/tracking techniques to find
out file lost info (when/how)?
and since lack of tools, I'm currently doing it manually:
1) tracing folders timestamps (mtime,atime,ctime),
but they are all hopelessly been updated:
ping@640g-laptop:~/vzlogs$ ls -ld
drwxr-x--- 1 ping ping 233472 Nov 2 13:03 .
ping@640g-laptop:~/vzlogs$ ls -ldu
drwxr-x--- 1 ping ping 233472 Nov 2 13:03 .
ping@640g-laptop:~/vzlogs$ ls -ldc
drwxr-x--- 1 ping ping 233472 Nov 2 13:03 .
2) I guess there is no way to find out more a folder's creation time/etc)?
3) checking the history commands
export HISTTIMEFORMAT='%F %T '
history
unfortunately this only start from Oct 10.
ping@640g-laptop:~/vzlogs$ history | head
1 2012-10-10 14:27:54 cd photols
2 2012-10-10 14:27:54 ls
3 2012-10-10 14:27:54 cd ..
4 2012-10-10 14:27:54 ls
5 2012-10-10 14:27:54 cd /mnt/s
6 2012-10-10 14:27:54 ls
7 2012-10-10 14:27:54 ls -l
8 2012-10-10 14:27:54 df -h
9 2012-10-10 14:27:54 cd
10 2012-10-10 14:27:54 smbclient //pr
I found no related rm/mv commands here...
4) looking at the "earlist" files remaining in the folder:
ping@640g-laptop:~/vzlogs$ ls -ltr | head
total 76236
-rwxr-x--- 1 ping ping 105545 Oct 11 17:48 <file name removed>
-rwxr-x--- 1 ping ping 695642 Oct 12 17:18
-rwxr-x--- 1 ping ping 72309 Oct 15 16:54
-rwxr-x--- 1 ping ping 689058 Oct 15 19:20
-rwxr-x--- 1 ping ping 874119 Oct 16 16:29
-rwxr-x--- 1 ping ping 582633 Oct 16 16:42
-rwxr-x--- 1 ping ping 455800 Oct 16 17:52
-rwxr-x--- 1 ping ping 182588 Oct 19 18:01
-rwxr-x--- 1 ping ping 337036 Oct 20 11:31
so it Oct 11.
looked like sth happened before Oct 11...
I don't really know what happened, guess I upgraded from ubuntu10.04LTS
to 12.04LTS around that time but I'm not sure...
5) looking at system logs: /var/log/message*
gzip -cd /var/log/message* | grep "Oct "
nothing.
any other things I can check on?
I just realized, I might have lost a lot of log files in a folder and
I'm trying to find out what happened.
unfortunately I haven't put the folder of any log files inside it under
any version control systems (like git).
anyone knows any good/best tools/solutions/tracking techniques to find
out file lost info (when/how)?
and since lack of tools, I'm currently doing it manually:
1) tracing folders timestamps (mtime,atime,ctime),
but they are all hopelessly been updated:
ping@640g-laptop:~/vzlogs$ ls -ld
drwxr-x--- 1 ping ping 233472 Nov 2 13:03 .
ping@640g-laptop:~/vzlogs$ ls -ldu
drwxr-x--- 1 ping ping 233472 Nov 2 13:03 .
ping@640g-laptop:~/vzlogs$ ls -ldc
drwxr-x--- 1 ping ping 233472 Nov 2 13:03 .
2) I guess there is no way to find out more a folder's creation time/etc)?
3) checking the history commands
export HISTTIMEFORMAT='%F %T '
history
unfortunately this only start from Oct 10.
ping@640g-laptop:~/vzlogs$ history | head
1 2012-10-10 14:27:54 cd photols
2 2012-10-10 14:27:54 ls
3 2012-10-10 14:27:54 cd ..
4 2012-10-10 14:27:54 ls
5 2012-10-10 14:27:54 cd /mnt/s
6 2012-10-10 14:27:54 ls
7 2012-10-10 14:27:54 ls -l
8 2012-10-10 14:27:54 df -h
9 2012-10-10 14:27:54 cd
10 2012-10-10 14:27:54 smbclient //pr
I found no related rm/mv commands here...
4) looking at the "earlist" files remaining in the folder:
ping@640g-laptop:~/vzlogs$ ls -ltr | head
total 76236
-rwxr-x--- 1 ping ping 105545 Oct 11 17:48 <file name removed>
-rwxr-x--- 1 ping ping 695642 Oct 12 17:18
-rwxr-x--- 1 ping ping 72309 Oct 15 16:54
-rwxr-x--- 1 ping ping 689058 Oct 15 19:20
-rwxr-x--- 1 ping ping 874119 Oct 16 16:29
-rwxr-x--- 1 ping ping 582633 Oct 16 16:42
-rwxr-x--- 1 ping ping 455800 Oct 16 17:52
-rwxr-x--- 1 ping ping 182588 Oct 19 18:01
-rwxr-x--- 1 ping ping 337036 Oct 20 11:31
so it Oct 11.
looked like sth happened before Oct 11...
I don't really know what happened, guess I upgraded from ubuntu10.04LTS
to 12.04LTS around that time but I'm not sure...
5) looking at system logs: /var/log/message*
gzip -cd /var/log/message* | grep "Oct "
nothing.
any other things I can check on?
Reply all
Reply to author
Forward
0 new messages